
Re: Securing SSH: Does disabling password authentication work?



On Monday 03 October 2005 02:39 pm, Steve Block wrote:
> On Mon, Oct 03, 2005 at 01:24:27PM -0700, Alvin Oga wrote:
> >On Mon, 3 Oct 2005, Steve Block wrote:
> >> I'm afraid you didn't read at all, did you? Start from the top of the
> >> thread and read again, and you'll see that my question had nothing to do
> >
> >u sure do have a whacky attitude for being the one that is cracked
> >
> >the answer still is no...  you are not any more secure
> >for the same identical reasons posted previously that you didn't
> >read/understand to use your own words :-)
>
> Who said anyone was cracked? I'm trying to take a proactive security
> approach here.
>
> Let me clarify. In a default debian/sarge install there are three
> available SSH authentication options:
>
> 1) password
> 2) keyboard-interactive with pam (would allow auth against LDAP or any
> other authentication method possible with pam)
> 3) public/private keys
>
> According to what I can see from my logs, these automated attempts are
> trying to use the first method to log in. The second method is what the
> standard OpenSSH client uses by default when no keys are being used, and
> the log report for a failed login of this type is different than for the
> automated attempts. I prefer to use the third method myself, but like I
> said I am unwilling to only allow that method.
>
> I edited my ssh config file to disable the first method, leaving only 2)
> and 3) available. With the second method a user can still log in with
> their system password (default pam configuration) but the authentication
> is handled by pam and not the ssh server itself (I think). My users
> obviously haven't noticed, and I still normally use keys. I just want to
> know if it has made it impossible for the automated dictionary attacks
> to log in (the current generation, anyways).
>
> Sorry if I sounded snippy, it's just hard to find any solid info on
> this.
>
> --
> Steve Block
> http://ev-15.com/
> http://steveblock.com/
> scblock@ev-15.com

Steve,

You may want to take a look at the Debian package harden-doc.  They have a 
section about securing ssh as well as a wealth of information about securing 
your system.  This is by no means exhaustive, but it will help.

John
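
The check the quoted question asks about, as an added example that is not part of either message: a small Python audit that reads an sshd_config, reports which authentication methods still accept a typed account password, and tallies failed logins per method from sshd log lines. The function names, the sample config and log lines, and the fallback defaults are assumptions made for this example, as is the premise that the default PAM stack prompts for the system password.

```python
import re
from collections import Counter

# Assumed upstream OpenSSH defaults for absent keywords; a distro config may differ.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "challengeresponseauthentication": "yes", "usepam": "no"}
# Newer OpenSSH releases name the same option KbdInteractiveAuthentication.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}
FAILED = re.compile(r"sshd\[\d+\]: Failed (\S+) for ")

# Constructed sample: the setup described in the quoted message.
SAMPLE_CONFIG = """\
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
PubkeyAuthentication yes
"""
# Constructed sample log lines (documentation addresses, made-up users).
SAMPLE_LOG = """\
Oct  3 13:01:02 host sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Oct  3 13:01:05 host sshd[2103]: Failed password for root from 192.0.2.10 port 40120 ssh2
Oct  3 13:05:40 host sshd[2140]: Failed keyboard-interactive/pam for alice from 198.51.100.7 port 51522 ssh2
"""

def effective_settings(config_text):
    """Global auth settings; sshd keeps the first value given for a keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break  # conditional Match blocks are not evaluated here
        if key in DEFAULTS and len(parts) == 2 and key not in seen:
            seen[key] = parts[1].strip().lower()
    return {**DEFAULTS, **seen}

def password_guessable_methods(s):
    """Methods that still accept a typed password (assumes default PAM stack)."""
    methods = ["password"] if s["passwordauthentication"] == "yes" else []
    if s["challengeresponseauthentication"] == "yes" and s["usepam"] == "yes":
        methods.append("keyboard-interactive")
    return methods

def failed_by_method(log_text):
    """Count 'Failed <method> for ...' sshd log lines per method."""
    return dict(Counter(m.group(1) for m in FAILED.finditer(log_text)))
```

For the sample configuration the audit returns only keyboard-interactive, so a typed password is still accepted through PAM even though the plain password method is off.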


